Symantec reported a major dynamic link library (DLL) code vulnerability that affects three of its enterprise security products. DLL code vulnerabilities are usually considered to be lesser threats to enterprises. What is the flaw, and why has Symantec labeled it as a severe vulnerability?
A flaw that allows attackers to load malicious DLL files was found by one of Symantec's senior threat analysis engineers in its IT Management Suite 8.0, Ghost Solution Suite 3.1 and Endpoint Virtualization 7.x products. According to Symantec, the affected products don't use an absolute path when loading DLL files during the boot process.
A DLL is a library that, like an executable file, can contain code, data and resources such as images; unlike an executable, it is designed to be loaded and shared by more than one program at the same time.
There are many benefits to using shared libraries, including modularity, code reuse, reduced disk space, and efficient memory usage and load times. However, if an application dynamically loads a DLL without specifying a fully qualified path to its location, Windows locates the DLL by searching a well-defined sequence of directories, and that opens up the possibility of a DLL preloading (also called DLL search order hijacking) attack. If an attacker can place a malicious file with the expected name into one of the directories searched before the legitimate location, the application may load and execute the malicious DLL instead of the authorized file it was expecting. This allows the attacker's code to run in the security context of the user who is running the application; when the application runs as administrator, this can lead to a local elevation of privilege.
Although many experts see this type of malicious DLL vulnerability as low risk, Symantec classified the issue, listed as CVE-2016-6590, as high risk under the new Common Vulnerability Scoring System (CVSS) methodology, which rates a vulnerability by combining a fixed set of metrics and ranking the resulting combinations in order of severity.
The fact that this vulnerability can lead to code execution is the main reason it scores highly, even though an attacker would first need to trick an authorized user into visiting a malicious website or clicking a malicious email link so that the malicious DLL is downloaded onto the system.
Microsoft has provided advice for securely loading DLLs for several years, so it's disappointing that Symantec didn't follow this best practice. Symantec has released updates to address the problem.
Related Q&A from Michael Cobb